I'm working with a couple of API's that use basic auth. The credentials differ between environments and I have usernames and passwords as separate variables.
I really like how Paw 3 has encrypted password field and how it hides the base64 representation when using that, is there any way to have an environment variable in the encrypted field?
In the environments you can put your password in a Secure dynamic value. Then it will stay encrypted:
To insert it in the Basic Auth Dynamic value you should change to Secure field to Regular field and insert your environment variable in there:
Your password will stay encrypted as it is inside a Secure dynamic value:
Related
I'm currently developing two factor authentication based on totp. For this you have to generate a secret and save it on the server side and on the client-side (usually through the QR code).
My Question: How do I store it in the database? My requirements are that it's saved secure, preferably encrypted. Hashed doesn't work because I need to be able to have the plain-text value in order to calculate the totp secret code. When I encrypt it, with what key? Should I use a general key? Should I use the password from the user as the key? This would have the disadvantage that when a password reset is done, I can't Decrypt the totp secret key anymore.
Any ideas?
Hi I am a newbie to Meteor and I would like to know what is the use of hashedToken generated inside the Meteor.user object.
In Meteor documentation it is explained that the services object,
containing data used by particular login services. For example, its reset field contains tokens used by forgot password links, and its resume field contains tokens used to keep you logged in between sessions.
When I check the localstorage, Meteor.loginToken seems different from the hashedToken.
so my question is,
1.what is the difference between Meteor.loginToken generated in the local storage and hashedToken generated inside the service object?
2.Also why do resume.loginTokens inside service object is an array?
Any help is appreciated...
So a loginToken is a string of characters that can be left on the computer similar to a cookie token. You don't want to leave the actual username and password on a computer so the token is used instead.
The token is then used to authenticate to the server and log-in in place of a username/password.
There are a multiple of them in the array because you can be logged in on many devices at the same time. Each would have their own token.
The reason the tokens are hashed is an extra measure of security on the database. The tokens on the client are sha256 hashed and matched up to the one on the already hashed database ones to try and log in the user automatically.
The reason they are hashed is so no one can use them as loginToken localStorage form to login as a certain user by copying it from the database and pasting it as a localstorage logintoken. Its similar to a plaintext password being able to be used to log in a user.
I browse but didn't got proper solution.i am working on asp.net membership all i want to do is to retrieve user password when user apply for forgot password for condition 1. i want password to be in encrypted format in database and 2. retrieve password in decrypted format.is it possible.
Normally, encrypted passwords would be stored using a one way hash. This means
that the password cannot be decrypted once it is stored. Many authentication systems
work by taking the password ( of the user trying to authenticate ), encrypting
it using the same one way hash function as was used to store the password in the
database, and then doing a string comparison in order to determine if the
resulting encrypted password matches the one that exists in the database.
How are you determining if the user requesting the password is actually
the owner of the account ? Perhaps you can clarify your question with details
of the environment so that we may offer alternative solutions.
Use PasswordRecoveryControl
But anyhow it's not advisable to send password in plain text format.
I am using aspnet membership provider and by default HASHED password format were being used behind the scene and recently i got that password retrieval is not possible using that format. so i need to change password format to CLEAR OR ENCRYPTED however after doing this
is there any possible way to change password of existing data through database? OR i need to delete all records and start to create from scratch?
Also how one can handle situation where need to change password format from CLEAR to ENCRYPTED?
No, you will not be able to decrypt a hashed password. Hashing is by definition one-way. The two-way option available is the encrypt option, or clear.
The main function of hashing a password is for one-way encryption. Even internally when values are compared they are compared as hashed values.
[OK, technically one could decrypt a hashed value, but this enters into the realm of hackers, rainbow tables, salt values, and I do not think you wish to go there]
For more please see here
What's the best way to save user credentials in flex? Local storage doesn't seem like good place for storing confidential data, because it saves information as a plain text.
You shouldn't. Use browser cookies or a session token to identify the user to the server. For instance:
User enters username and password into a form in Flex and clicks login.
Server validates credentials. Then either in memory or in a database the server associates a random (and sufficiently secure) token with the user. Then the server returns the token to the client.
Client saves the token in either a cookie, LocalSharedObject, or just in memory. Then subsequent requests also include the token.
You can use ExternalInterface to communicate with JavaScript and store data in browser cookies.
Don't store users' name or password in cookies - create a session in the server with credentials in it, and store the session id in the browser cookies.
if your service don't support credential, then the only think you can do is save user login state in SharedObject.
You can save hash value of UserName + Random Token to SharedObject and save a copy of UserName too in SharedObject, then when application created creationComplete check wheather the hash value match with the saved user name.
the good thing about this trick is:
Password never persisted locally.
Harder to fake login because need to
match username with the hash value.
a bit hard to explain here you can check it here, source code is available for download.
User credentials are normally stored in a session variable.
You don't necessarily need to save the credentials as plain text in Local Storage; in fact, Local Storage (SharedObject) is actually serialized as AMF, so it's not plain text to begin with. Whatever medium you use to store your sensitive data, you should certainly consider using some sort of hashing or encryption techniques like SHA1 or RSA.
The difference between hashing and encryption is this:
Hashing (SHA1, MD5, etc) is a one-way encryption - in other words, it's very difficult to determine the original value of the hashed value, so what you can do is compare one hashed value to another since these hashing algorithms will always spit out the same thing.
Encryption (RSA, AES, etc) is a two-way encryption - in other words, you can determine the original value of the encrypted data, usually by using a public/private key combination
It really depends on what you're trying to do.
Hope you come right
SharedObject is a very bad place to store your password in.
Please see this:
http://livedocs.adobe.com/flex/3/html/help.html?content=security2_22.html